Kangaroos in Side-Channel Attacks

  • Tanja Lange
  • Christine van Vredendaal
  • Marnix Wakker
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8968)


Side-channel attacks are a powerful tool to discover the cryptographic secrets of a chip or other device but only too often do they require too many traces or leave too many possible keys to explore. In this paper we show that for side channel attacks on discrete-logarithm-based systems significantly more unknown bits can be handled by using Pollard’s kangaroo method: if \(b\) bits are unknown then the attack runs in \(2^{b/2}\) instead of \(2^b\). If an attacker has many targets in the same group and thus has reasons to invest in precomputation, the costs can even be brought down to \(2^{b/3}\).

Usually the separation between known and unknown keybits is not this clear cut – they are known with probabilities ranging between 100 % and 0 %. Enumeration and rank estimation of cryptographic keys based on partial information derived from cryptanalysis have become important tools for security evaluations. They make the line between a broken and secure device more clear and thus help security evaluators determine how high the security of a device is. For symmetric-key cryptography there has been some recent work on key enumeration and rank estimation, but for discrete-logarithm-based systems these algorithms fail because the subkeys are not independent and the algorithms cannot take advantage of the above-mentioned faster attacks. We present \(\epsilon \)-enumeration as a new method to compute the rank of a key by using the probabilities together with (variations of) Pollard’s kangaroo algorithm and give experimental evidence.


Side-channel attacks Template attacks Key enumeration Rank estimation Discrete logarithms Pollard-kangaroo method Precomputation 


  1. 1.
    Bernstein, D.J., Lange, T.: Computing small discrete logarithms faster. In: Galbraith, S., Nandi, M. (eds.) INDOCRYPT 2012. LNCS, vol. 7668, pp. 317–338. Springer, Heidelberg (2012) CrossRefGoogle Scholar
  2. 2.
    Bernstein, D.J., Lange, T., Schwabe, P.: On the correct use of the negation map in the Pollard rho method. In: Catalano, D., Fazio, N., Gennaro, R., Nicolosi, A. (eds.) PKC 2011. LNCS, vol. 6571, pp. 128–146. Springer, Heidelberg (2011) CrossRefGoogle Scholar
  3. 3.
    Chari, S., Rao, J.R., Rohatgi, P.: Template attacks. In: Kaliski, B.S., Koç, Ç.K., Paar, C. (eds.) CHES 2002. LNCS, vol. 2523, pp. 13–28. Springer, Heidelberg (2003) CrossRefGoogle Scholar
  4. 4.
    Clavier, C., Feix, B., Gagnerot, G., Roussellet, M., Verneuil, V.: Horizontal correlation analysis on exponentiation. In: Soriano, M., Qing, S., López, J. (eds.) ICICS 2010. LNCS, vol. 6476, pp. 46–61. Springer, Heidelberg (2010) CrossRefGoogle Scholar
  5. 5.
    Galbraith, S.D., Pollard, J.M., Ruprai, R.S.: Computing discrete logarithms in an interval. Math. Comput. 82(282), 1181–1195 (2013)CrossRefzbMATHMathSciNetGoogle Scholar
  6. 6.
    Galbraith, S., Ruprai, R.S.: An improvement to the Gaudry-Schost algorithm for multidimensional discrete logarithm problems. In: Parker, M.G. (ed.) Cryptography and Coding 2009. LNCS, vol. 5921, pp. 368–382. Springer, Heidelberg (2009) CrossRefGoogle Scholar
  7. 7.
    Gaudry, P., Schost, É.: A low-memory parallel version of Matsuo, Chao, and Tsujii’s algorithm. In: Buell, D.A. (ed.) ANTS 2004. LNCS, vol. 3076, pp. 208–222. Springer, Heidelberg (2004) CrossRefGoogle Scholar
  8. 8.
    Gopalakrishnan, K., Thériault, N., Yao, C.Z.: Solving discrete logarithms from partial knowledge of the key. In: Srinathan, K., Rangan, C.P., Yung, M. (eds.) Indocrypt 2007. LNCS, vol. 4859, pp. 224–237. Springer, Heidelberg (2007) CrossRefGoogle Scholar
  9. 9.
    Hankerson, D., Menezes, A.J., Vanstone, S.: Guide to Elliptic Curve Cryptography. Springer-Verlag New York Inc., Secaucus (2003) Google Scholar
  10. 10.
    Pan, J., van Woudenberg, J.G.J., den Hartog, J.I., Witteman, M.F.: Improving DPA by peak distribution analysis. In: Biryukov, A., Gong, G., Stinson, D.R. (eds.) SAC 2010. LNCS, vol. 6544, pp. 241–261. Springer, Heidelberg (2011) CrossRefGoogle Scholar
  11. 11.
    Pollard, J.M.: Monte Carlo methods for index computation (mod p). Math. Comput. 32, 918–924 (1978)zbMATHMathSciNetGoogle Scholar
  12. 12.
    Pollard, J.M.: Kangaroos, monopoly and discrete logarithms. J. Cryptol. 13(4), 437–447 (2000)CrossRefzbMATHMathSciNetGoogle Scholar
  13. 13.
    Shanks, D.: Class number, a theory of factorization, and genera. In: Lewis, D.J. (ed.) 1969 Number Theory Institute. Proceedings of Symposia in Pure Mathematics, Providence, Rhode Island, vol. 20, pp. 415–440. American Mathematical Society (1971)Google Scholar
  14. 14.
    Stein, A., Teske, E.: The parallelized Pollard kangaroo method in real quadratic function fields. Math. Comput. 71(238), 793–814 (2002)CrossRefzbMATHMathSciNetGoogle Scholar
  15. 15.
    Straus, E.G.: Addition chains of vectors (problem 5125). Am. Math. Mon. 70, 806–808 (1964). MathSciNetGoogle Scholar
  16. 16.
    van Oorschot, P.C., Wiener, M.J.: Parallel collision search with cryptanalytic applications. J. Cryptol. 12(1), 1–28 (1999)CrossRefzbMATHGoogle Scholar
  17. 17.
    Veyrat-Charvillon, N., Gérard, B., Renauld, M., Standaert, F.-X.: An optimal key enumeration algorithm and its application to side-channel attacks. In: Knudsen, L.R., Wu, H. (eds.) SAC 2012. LNCS, vol. 7707, pp. 390–406. Springer, Heidelberg (2013) CrossRefGoogle Scholar
  18. 18.
    Veyrat-Charvillon, N., Gérard, B., Standaert, F.-X.: Security evaluations beyond computing power. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 126–141. Springer, Heidelberg (2013) CrossRefGoogle Scholar
  19. 19.
    Walter, C.D.: Sliding windows succumbs to big mac attack. In: Koç, Ç.K., Naccache, D., Paar, C. (eds.) CHES 2001. LNCS, vol. 2162, pp. 286–299. Springer, Heidelberg (2001) CrossRefGoogle Scholar
  20. 20.
    Witteman, M.F., van Woudenberg, J.G.J., Menarini, F.: Defeating RSA multiply-always and message blinding countermeasures. In: Kiayias, A. (ed.) CT-RSA 2011. LNCS, vol. 6558, pp. 77–88. Springer, Heidelberg (2011) CrossRefGoogle Scholar

Copyright information

© Springer International Publishing Switzerland 2015

Authors and Affiliations

  • Tanja Lange
    • 1
  • Christine van Vredendaal
    • 1
    • 2
  • Marnix Wakker
    • 2
  1. 1.Department of Mathematics and Computer ScienceEindhoven University of TechnologyEindhovenThe Netherlands
  2. 2.Brightsight B.V.DelftThe Netherlands

Personalised recommendations